IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
domains, this patch ensures that we always use the ADS backend when
security=ADS, and the remote server is capable.
The routines used for this behaviour have been upgraded to modern Samba
codeing standards.
This is a change in behaviour for mixed mode domains, and if the trusted
domain cannot be reached with our current krb5.conf file, we will show
that domain as disconnected.
This is in line with existing behaviour for native mode domains, and for
our primary domain.
As a consequence of testing this patch, I found that our kerberos error
handling was well below par - we would often throw away useful error
values. These changes move more routines to ADS_STATUS to return
kerberos errors.
Also found when valgrinding the setup, fix a few memory leaks.
While sniffing the resultant connections, I noticed we would query our
list of trusted domains twice - so I have reworked some of the code to
avoid that.
Andrew Bartlett
(This used to be commit 7c34de8096)
session setup. After talking to jht and abartlet I made this unconditional, no
additional parameter.
Jerry: This is a change in behaviour, but I think it is necessary.
Volker
(This used to be commit 3ce6c9f273)
Instead of returning a name in DOMAIN\user format, we now return it in the
same way that nsswtich does - following the rules of 'winbind use default
domain', in the correct case and with the correct seperator.
This should help sites who are using Squid or the new SASL code I'm working
on, to match back to their unix usernames.
Andrew Bartlett
(This used to be commit 7a3a5a6361)
winbind functions to be accessed via NSS. This provides a much cleaner
way for applications that need (for example) to provide name->sid
mappings to do this via NSS rather than having to know the winbindd
pipe protocol (as this might change).
This patch also adds a varient of the winbindd_getgroups() call called
winbindd_getusersids() that provides direct SID->SIDs listing of a
users supplementary groups. This is enough to allow non-Samba
applications to do ACL checking.
A test program for the new functionality will be committed shortly.
I also added the 'wbinfo --user-sids' option to expose the new
function in wbinfo.
(This used to be commit 702b35da0a)
Add support for geting the sequence number, list of users, and list
of groups for a specific domain (assuming on reported back by
wbinfo -m)
wbinfo -u --domain=DOA
(This used to be commit 34fc6e1bf9)
* move rid allocation into IDMAP. See comments in _api_samr_create_user()
* add winbind delete user/group functions
I'm checking this in to sync up with everyone. But I'm going to split
the add a separate winbindd_allocate_rid() function for systems
that have an 'add user script' but need idmap to give them a RID.
Life would be so much simplier without 'enable rid algorithm'.
The current RID allocation is horrible due to this one fact.
Tested idmap_tdb but not idmap_ldap yet. Will do that tomorrow.
Nothing has changed in the way a samba domain is represented, stored,
or search in the directory so things should be ok with previous installations.
going to bed now.
(This used to be commit 0463045cc7)
* remove idmap_XX_to_XX calls from smbd. Move back to the
the winbind_XXX and local_XXX calls used in 2.2
* all uid/gid allocation must involve winbindd now
* move flags field around in winbindd_request struct
* add WBFLAG_QUERY_ONLY option to winbindd_sid_to_[ug]id()
to prevent automatic allocation for unknown SIDs
* add 'winbind trusted domains only' parameter to force a domain member
server to use matching users names from /etc/passwd for its domain
(needed for domain member of a Samba domain)
* rename 'idmap only' to 'enable rid algorithm' for better clarity
(defaults to "yes")
code has been tested on
* domain member of native mode 2k domain
* ads domain member of native mode 2k domain
* domain member of NT4 domain
* domain member of Samba domain
* Samba PDC running winbindd with trusts
Logons tested using 2k clients and smbclient as domain users
and trusted users. Tested both 'winbind trusted domains only = [yes|no]'
This will be a long week of changes. The next item on the list is
winbindd_passdb.c & machine trust accounts not in /etc/passwd (done
via winbindd_passdb)
(This used to be commit 8266dffab4)
- fix winbindd_pam bugs
- give a better error message for unauthorized access to auth_crap
- show this message in wbinfo
- fix spelling: privilaged -> privileged
** This changes the location of the winbindd privileged pipe **
(thanks to tpot)
Andrew Bartlett
(This used to be commit 92c2a33483)
NTLM Authentication:
- Add a 'privileged' mode to Winbindd. This is achieved by means of a directory
under lockdir, that the admin can change the group access for.
- This mode is now required to access with 'CRAP' authentication feature.
- This *will* break the current SQUID helper, so I've fixed up our ntlm_auth
replacement:
- Update our NTLMSSP code to cope with 'datagram' mode, where we don't get a
challenge.
- Use this to make our ntlm_auth utility suitable for use in current Squid 2.5
servers.
- Tested - works for Win2k clients, but not Win9X at present. NTLMSSP updates
are needed.
- Now uses fgets(), not x_fgets() to cope with Squid environment (I think
somthing to do with non-blocking stdin).
- Add much more robust connection code to wb_common.c - it will not connect to
a server of a different protocol version, and it will automatically try and
reconnect to the 'privileged' pipe if possible.
- This could help with 'privileged' idmap operations etc in future.
- Add a generic HEX encode routine to util_str.c,
- fix a small line of dodgy C in StrnCpy_fn()
- Correctly pull our 'session key' out of the info3 from th the DC. This is
used in both the auth code, and in for export over the winbind pipe to
ntlm_auth.
- Given the user's challenge/response and access to the privileged pipe,
allow external access to the 'session key'. To be used for MSCHAPv2
integration.
Andrew Bartlett
(This used to be commit ec071ca3dc)
- NTLMSSP over SPENGO (sesssion-setup-and-x) cleanup and code refactor.
- also consequential changes to the NTLMSSP and SPNEGO parsing functions
- and the client code that uses the same functions
- Add ntlm_auth, a NTLMSSP authentication interface for use by applications
like Squid and Apache.
- also consquential changes to use common code for base64 encode/decode.
- Winbind changes to support ntlm_auth (I don't want this program to need
to read smb.conf, instead getting all it's details over the pipe).
- nmbd changes for fstrcat() instead of fstrcpy().
Andrew Bartlett
(This used to be commit fbb46da79c)
include it in the struct. (Important becouse it currently has the same version
number as the one in HEAD, which also doesn't have this).
Andrew Bartlett
(This used to be commit 0d2da98590)
This adds code to do generic PAM -> NTSTATUS and NTSTATUS -> PAM error
conversions, and uses them to make the error handling in pam_winbind sane.
In particular, pam_winbind now uses PAM error codes, not silly '-1, -2 ...'
stuff, and logs the NTSTATUS error that winbind now sends over the pipe.
Added code to wbinfo to display these - makes a big difference in debugging
winbindd.
The main change here is the code to allow pam_winbind password changing to
correctly stack - This code ripped from pam_unix, and the copyright attached.
(Same as for all pam modules, including pam_winbind)
Andrew Bartlett
(This used to be commit dc1a72f896)
the sid->uid and uid->sid conversions.
Remove some duplicate arguments from these funcitons, and update the
request/response structures for this and the 'winbind domain name' feature.
As such 'winbindd_lookup_name' now takes both a domain and username.
(This used to be commit ce1b4d4c30)
swedish" test to client calls. This is putting a length field at the
start of a request so we can disconnect clients talking with an out of date
libnss_winbind.so rather than deadlock them.
Misc cleanups:
- made some int values uint32
- moved WINBIND_INTERFACE_VERSION to start of cmd list
(This used to be commit a4af65b9b9)
smb.conf to get it right.
While wb_client needs its lp_load() for samba dependency reasons, it now uses
the new method both to example and test the new code.
Also add an interface version function, and return the winbind's samba version
string.
In preperation for default domains, its now up to winbindd to reject plaintext
auths that don't have a seperator, but NTLM (CRAP) auths now have two feilds,
hence need parsing.
Andrew Bartlett
(This used to be commit 2bd2a092ee)
It adds a 'ping' request, just to check winbind is in fact alive
It also changes winbindd_pam_auth_crap to take usernames and domain seperatly.
(backward incompatible change, needs merge to 2.2, but this is not yet released
code, so no workarounds)
Finally, it adds some debugs and fixes a few memory leaks (uses talloc to do
it).
Andrew Bartlett
(This used to be commit 6df29bfe33)
when they are added or removed on the PDC.
- renamed GETPWNAM_FROM_{UID,USER} constants and functions to GETPW{NAM,UID}
- renamed GETGRNAM_FROM_{GID,GROUP} constants and functions to GETGR{NAM,GID}
- use SIGUSR2 in winbindd for debugging/logging instead of SIGUSR1 in
preparation for moving to smbcontrol type messages (not sure whether to
ditch this altogether or not)
- tidy debugging messages in top level winbind user and group routines
- convert talloc_init() to talloc_init_named()
- make enumerations of the domain list use the same local variable names
(This used to be commit eeb8af9c1a)
Authentication Protocol (CRAP) takes a tuple of (username, random
challenge, encrypted lm password, encrypted nt password) where the
passwords are encrypted with the random challenge ala ntlmssp.
(This used to be commit 11f72a78e3)
